Summary of Project

There is a critical gap in current insider threat technology. To date, efforts on insider threat have not seriously taken into account the impact of deception by the insider. Without a clear understanding of this impact, and without mechanisms for deception detection, technology for handling insider threat attacks (beyond simple attacks) can only be reactive in nature, and will often be too slow and too late to prevent or even correct the damage done. In this project, we have identified a number of technology and research avenues that can provide an essential basis for developing a dynamic and proactive response to insider threats. The two primary technologies of interest are user modeling and deception detection. First, applying user modeling technology in a novel manner provides unique capabilities for recognizing various classes of insider threats. User modeling has typically been employed to assist the user: to capitalize on knowledge about his or her previous behavior and current roles to infer goals, motives, and intentions in order to anticipate (predict) and facilitate subsequent actions. We observed that such prediction can be used not only to anticipate a future course of action for the purpose of facilitating it, but also to detect deviations from that course. In the context of insider threat, a deviation of observed behavior from that predicted by a user model is a signal, one that might indicate that the nominal user has been supplanted, or is acting under direction from someone else. Predicting the goals and intentions behind the user's actions serves as the essential baseline for positively identifying deviations and for accurately determining the nature and goals of the given insider threat situation. The second technology is the detection of deception, where different levels and types of deception and their indicators are modeled. At the most direct level of indicators, both physiological/biometric and behavioral traits have been used in various ways to recognize masquerades and other forms of deceptive behavior. However, they have been unable to identify the type and goals of the deception, which range from simple data access to operational disruption to misinformation and intelligence diversion. Deception goals and courses of action can be applied in conjunction with our knowledge of the potential user activities and the user model. This permits us to anticipate the potential courses of action of the insider threat and to deal with them in an effective and timely manner. The merger of these two technologies provides a key element in properly securing systems against insider threats. Both user modeling and deception detection as we have described them can be applied at any level of abstraction to ultimately, in the long run, determine the overall intent and goals of the deception and deliver an understanding of the user's behaviors and actions. With such an analytic capability, we believe that efficient and effective real-time responses to insider threat can ultimately be achieved.

In what follows, we briefly describe our major research contributions for this effort.

1. Insider Threat in Intelligence Analyses

Our goal is to detect malicious insiders among a group of analysts in the Intelligence Community. The biggest challenge is determining indicators of abnormal behavior in analyst activities. The insiders manipulate the information they present in their reports, which are subtle malicious actions to characterize. Characterizing these malicious actions clearly requires an analysis of the contents of their reports. However, we must also measure the behavioral consistency between the information the analysts have collected and the reports they have written. We have proposed a framework for intent-driven insider threat detection. The heart of the framework is the IPC user modeling technique, which captures an analyst's interests, knowledge context, and preferences over time. This technique allows us to describe analysts' behavioral consistency quantitatively, which is key to addressing our main challenge. We tested our method on the APEX '07 test bed, which contained eight benign analysts and five simulated malicious insiders. The empirical evaluation demonstrated that our framework was effective in identifying insider threats: the results so far show that we were able to identify all five malicious insiders without raising any false positives.

Papers: [Santos et al., 2012a] [Santos et al., 2009a] [Santos et al., 2008]
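As an added illustration (not code from the project, and not the IPC model itself), the following Python stand-in measures the behavioral consistency described above at the crudest possible level: it compares the terms in an analyst's report with the terms in the material that analyst collected, and flags reports that carry content the analyst never saw. The stopword list, the three scenario documents, the analyst names and the 0.75 threshold are all constructed for this example and are not APEX '07 data.

```python
import math
import re
from collections import Counter

# Constructed stopword list; an assumption of this example, not part of the IPC model.
STOPWORDS = {"the", "a", "an", "of", "in", "on", "and", "to", "is", "was", "were",
             "for", "by", "with", "at", "are", "as", "from", "that", "this"}


def content_terms(text):
    """Lower-cased alphabetic tokens with stopwords removed (no stemming)."""
    return [t for t in re.findall(r"[a-z]+", text.lower()) if t not in STOPWORDS]


def cosine(a, b):
    """Cosine similarity of two term-count vectors held as Counters."""
    dot = sum(c * b.get(t, 0) for t, c in a.items())
    norm_a = math.sqrt(sum(c * c for c in a.values()))
    norm_b = math.sqrt(sum(c * c for c in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def consistency(collected, report):
    """Compare what an analyst read (collected) with what they wrote (report).

    support_ratio: share of report terms that occur somewhere in the collected
    material. Content that is reported but was never collected is unsupported,
    which is what a manipulated report looks like at the term level.
    cosine: overall topical similarity between the report and the collected material.
    """
    source_terms = Counter()
    for doc in collected:
        source_terms.update(content_terms(doc))
    report_terms = Counter(content_terms(report))
    total = sum(report_terms.values())
    supported = sum(c for t, c in report_terms.items() if t in source_terms)
    return {"support_ratio": supported / total if total else 0.0,
            "cosine": cosine(report_terms, source_terms)}


def score_all(analysts):
    """Consistency scores for every analyst, keyed by name."""
    return {name: consistency(a["collected"], a["report"]) for name, a in analysts.items()}


def flag_inconsistent(analysts, min_support=0.75):
    """Names of analysts whose report support ratio falls below min_support."""
    return sorted(name for name, s in score_all(analysts).items()
                  if s["support_ratio"] < min_support)


# Constructed scenario documents and analyst reports (not APEX '07 data).
DOCS = {
    "d1": "Shipment of machine parts left port Alpha on Monday bound for the Beta facility.",
    "d2": "The Beta facility is a textile plant owned by the Gamma company.",
    "d3": "Gamma company filed customs forms listing spinning machines and looms.",
}
ANALYSTS = {
    "alice": {"collected": [DOCS["d1"], DOCS["d2"]],
              "report": "Machine parts left port Alpha on Monday bound for the Beta facility, "
                        "a textile plant owned by the Gamma company."},
    "bob":   {"collected": [DOCS["d1"], DOCS["d3"]],
              "report": "Gamma company shipped spinning machines and looms from port Alpha; "
                        "customs forms were filed on Monday."},
    # carol read the same material as alice but reports things it does not contain.
    "carol": {"collected": [DOCS["d1"], DOCS["d2"]],
              "report": "Weapons left port Alpha on Monday bound for a militia base operated by "
                        "the Delta group near the Beta facility."},
}

if __name__ == "__main__":
    for name, s in score_all(ANALYSTS).items():
        print(f"{name}: support={s['support_ratio']:.2f} cosine={s['cosine']:.2f}")
    print("flagged:", flag_inconsistent(ANALYSTS))
```

The IPC model tracks interests, knowledge context and preferences over time; this example collapses that to one bag-of-words comparison per report, so paraphrase and morphology count against support (bob's "shipped" is not matched to "shipment"). A practitioner would stem or embed terms and compare each report against that analyst's own history rather than a single fixed threshold, but the signal being computed, report content that has no footing in what the analyst actually collected, is the same.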

2. Deception Detection in Human Reasoning

Deception detection plays an important role in safely and reliably using multi-entity advisory models such as multi-agent intelligence systems. Unfortunately, deception detection is extremely challenging. The average detection rate by humans alone is only slightly above chance, and the skill has been shown to be difficult to improve even with training. In psychological studies, deception detection is typically based on examining a person's nonverbal cues and expressions, such as facial expressions, gestures, and movements. Our approach instead focuses on the agent's reasoning process.

We first detect deception by observing the correlations between agents, which can be used to make a reasonable prediction of the agents' reasoning processes. Our experiments demonstrate the effectiveness of this method and show the impact of different factors on the detection rate. We further conducted preliminary experiments to explore its performance at detecting both disinformation and misinformation and at identifying more than one deceiver in the system.

Next, a novel method was developed to detect deception by identifying inconsistencies, explaining the reasoning behind the inconsistencies, and measuring the likelihood of deception based on cues in reasoning. The initial experiment demonstrated the effectiveness of the approach in identifying and explaining communications containing inconsistencies. Reasoning cues that best discriminate deception from truth are further proposed, and the verification and measurement of such cues have been explored as possible directions for future work.

Papers: [Li and Santos, 2012] [Santos and Li, 2011] [Li and Santos, 2011] [Santos, Li, & Yuan, 2008] [Yuan, 2007]

3. Impact of Cognitive Styles

A user's cognitive style has been found to affect how they search for information, how they analyze it, and how they make decisions in an analytical process. We have shown that we can use Hidden Markov Models (HMMs) to dynamically capture a user's cognitive style by automatically examining the sequence of actions together with the relevant information in the content of those actions. The evaluation results show that our HMM model achieves an average of 72% recall on the APEX '07 collection. We also studied the link between a user's cognitive style and various attributes of document content during an analytical process. The results show that the "analytic" group tends to focus on documents with significantly more specific information than the "wholist" group. The specific/general attribute of documents can therefore help in classifying a user's cognitive style automatically. We have applied this notion of cognitive style to better explain the variations in intelligence analysis, which is critical to detecting both insider threat and deception.

Papers: [Nguyen et al., 2011] [Santos et al., 2010] [Nguyen et al., 2008]
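The HMM classification described above, as an added example that is not code from the project: two small hidden Markov models, one per cognitive style, are hand-set (the parameters are constructed, not fitted to APEX '07), each session's action sequence is scored with the forward algorithm, and the session is assigned the style whose model makes it most likely. The action alphabet splits document opens by whether the document carried specific or general information, which is the specific/general attribute the text above links to cognitive style. Recall is then computed over labelled sessions, the same measure as the 72% figure above, though on constructed sessions here.

```python
import math
from collections import Counter


def logsumexp(values):
    """Numerically stable log(sum(exp(v) for v in values))."""
    m = max(values)
    return m + math.log(sum(math.exp(v - m) for v in values))


class HMM:
    """Discrete-observation hidden Markov model scored with the forward algorithm.

    start: {state: P(state at t=0)}
    trans: {state: {next_state: P(next_state | state)}}
    emit:  {state: {action: P(action | state)}}
    """

    def __init__(self, start, trans, emit):
        self.states = list(start)
        self.start, self.trans, self.emit = start, trans, emit

    def log_likelihood(self, actions):
        """log P(action sequence | model), summed over all hidden state paths."""
        alpha = {s: math.log(self.start[s]) + math.log(self.emit[s][actions[0]])
                 for s in self.states}
        for a in actions[1:]:
            alpha = {s: logsumexp([alpha[p] + math.log(self.trans[p][s]) for p in self.states])
                        + math.log(self.emit[s][a])
                     for s in self.states}
        return logsumexp(list(alpha.values()))


# Observation alphabet: analyst actions, with document opens split by whether the
# document carried specific or general information (constructed for this example).
ACTIONS = ("query", "open_specific", "open_general", "note")

# Constructed, hand-set parameters (not fitted to any real data): the "analytic" model
# has a state that prefers specific documents, the "wholist" model one that prefers
# general documents. Every emission is non-zero so log() is always defined.
STYLE_MODELS = {
    "analytic": HMM(
        start={"focus": 0.6, "explore": 0.4},
        trans={"focus": {"focus": 0.7, "explore": 0.3},
               "explore": {"focus": 0.5, "explore": 0.5}},
        emit={"focus": {"query": 0.1, "open_specific": 0.6, "open_general": 0.1, "note": 0.2},
              "explore": {"query": 0.4, "open_specific": 0.3, "open_general": 0.2, "note": 0.1}}),
    "wholist": HMM(
        start={"overview": 0.6, "drill": 0.4},
        trans={"overview": {"overview": 0.7, "drill": 0.3},
               "drill": {"overview": 0.5, "drill": 0.5}},
        emit={"overview": {"query": 0.2, "open_specific": 0.1, "open_general": 0.5, "note": 0.2},
              "drill": {"query": 0.3, "open_specific": 0.3, "open_general": 0.3, "note": 0.1}}),
}


def classify(actions, models=STYLE_MODELS):
    """Assign the style whose HMM gives the action sequence the highest likelihood."""
    return max(models, key=lambda name: models[name].log_likelihood(actions))


def recall(labelled_sessions, models=STYLE_MODELS):
    """Per-style recall: fraction of sessions of each true style recovered by classify()."""
    hits, totals = Counter(), Counter()
    for true_style, actions in labelled_sessions:
        totals[true_style] += 1
        if classify(actions, models) == true_style:
            hits[true_style] += 1
    return {style: hits[style] / totals[style] for style in totals}


# Constructed sessions with known style labels.
SESSIONS = [
    ("analytic", ["query", "open_specific", "open_specific", "note", "open_specific", "note"]),
    ("analytic", ["open_specific", "note", "open_specific", "query", "open_specific", "open_specific"]),
    ("wholist", ["query", "open_general", "open_general", "note", "open_general", "query"]),
    ("wholist", ["open_general", "note", "open_general", "open_general", "query", "open_specific"]),
]

if __name__ == "__main__":
    for style, actions in SESSIONS:
        print(style, "->", classify(actions))
    print("recall:", recall(SESSIONS))
```

In practice the per-style parameters are learned from labelled sessions (Baum-Welch or counting on a labelled corpus) rather than set by hand, and the forward pass can be run incrementally as actions arrive, which is what lets the style be tracked dynamically during a session instead of only at its end.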

4. Fusing Multiple (Potentially Conflicting) Sources of Knowledge Under Uncertainty

This work addresses the challenges of information/knowledge fusion from multiple (possibly conflicting) sources. For example, suppose that multiple experts (sources) provide knowledge-based models of the same scenario or situation and we wish to aggregate this information in order to assist decision-making. Naively merging the information from each source runs into several problems: the experts may disagree on the probability (uncertainty) of a certain event, or on the direction of causality between two events (e.g., one thinks A causes B while another thinks B causes A); the experts may even disagree on the entire structure of dependencies among a set of variables in a (probabilistic) network. The challenge is to develop a semantically sound and computationally effective methodology that explicitly accounts for the uncertainty and the conflicts. In our solution, we represent the knowledge-based models as Bayesian Knowledge Bases (BKBs) and provide an algorithm, Bayesian knowledge fusion, that fuses multiple BKBs into a single BKB that retains the information from all input sources. This allows easy aggregation and de-aggregation of information from multiple expert sources and facilitates multi-expert/source decision making by providing a framework in which all opinions are preserved and can be reasoned over. The problem of fusing multiple conflicting sources occurs in many other domains, from sensor/information fusion to intelligence analysis. This work establishes a mathematical foundation for hypothesizing about the insider threat and deception intentions that underlie human reasoning. We have also extended the theory to account for time and uncertainty.

Papers: [Santos et al., 2012b] [Santos, Gu, & Santos, 2011a] [Santos, Gu, & Santos, 2011b] [Santos & Jurmain, 2011] [Santos, Wilkinson, & Santos, 2011] [Santos, Wilkinson, & Santos, 2009] [Santos, Li, & Wilkinson, 2009] [Santos et al., 2009b]
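A simplified rendering of Bayesian knowledge fusion, added here as an example and not the project's own implementation: each expert's model is a list of conditional probability rules (CPRs), fusion tags the tail of every rule with a source I-node naming the expert who supplied it and adds a prior on that node carrying the expert's reliability, and de-aggregation strips the tags back off to recover one expert's rules. The only well-formedness check implemented is the mutual exclusivity condition stated in the comments (two rules with the same head must have tails that cannot both hold). The per-variable normalisation of reliabilities, the "S_" naming of source nodes, and the Intrusion/Alarm rules are all assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class CPR:
    """Conditional probability rule P(head | tail) = prob.

    head: (variable, value); tail: frozenset of (variable, value) pairs.
    """
    head: tuple
    tail: frozenset
    prob: float


def compatible(tail_a, tail_b):
    """True if no variable is assigned different values by the two tails."""
    assign = dict(tail_a)
    return all(assign.get(var, val) == val for var, val in tail_b)


def exclusivity_violations(rules):
    """Pairs of rules with the same head whose tails could both hold at once.

    A well-formed BKB requires the tails of any two rules sharing a head to be
    mutually exclusive; otherwise two different probabilities apply to one event,
    which is exactly what happens when two experts' rules are concatenated naively.
    """
    return [(a, b) for a, b in combinations(rules, 2)
            if a.head == b.head and compatible(a.tail, b.tail)]


def fuse(sources):
    """Fuse {name: (reliability, [CPR, ...])} into one rule list (simplified).

    Each rule gets a source I-node (S_<head variable> = expert name) added to its
    tail, so rules from different experts for the same head can never fire together.
    A prior on each source node carries that expert's reliability, normalised (an
    assumption of this example) across the experts who said anything about that
    variable so the priors for one source variable sum to 1.
    """
    fused, contributors = [], defaultdict(dict)
    for name, (reliability, rules) in sources.items():
        for r in rules:
            src_node = ("S_" + r.head[0], name)
            fused.append(CPR(r.head, r.tail | {src_node}, r.prob))
            contributors[r.head[0]][name] = reliability
    for var, rels in contributors.items():
        total = sum(rels.values())
        for name, rel in rels.items():
            fused.append(CPR(("S_" + var, name), frozenset(), rel / total))
    return fused


def deaggregate(fused, name):
    """Recover one expert's original rules from the fused BKB."""
    out = []
    for r in fused:
        if r.head[0].startswith("S_"):
            continue  # source priors are fusion bookkeeping, not expert knowledge
        src_nodes = {n for n in r.tail if n[0].startswith("S_")}
        if any(n[1] == name for n in src_nodes):
            out.append(CPR(r.head, r.tail - src_nodes, r.prob))
    return out


def naive_merge(sources):
    """What a naive merge does: concatenate every expert's rules."""
    return [r for _, rules in sources.values() for r in rules]


# Constructed sources: the experts disagree on P(Alarm | Intrusion) and on the
# direction of causality between Intrusion and Alarm.
T = "true"
EXPERT1 = [CPR(("Alarm", T), frozenset({("Intrusion", T)}), 0.9),
           CPR(("Intrusion", T), frozenset(), 0.1)]
EXPERT2 = [CPR(("Alarm", T), frozenset({("Intrusion", T)}), 0.6),
           CPR(("Intrusion", T), frozenset({("Alarm", T)}), 0.7)]
SOURCES = {"expert1": (0.8, EXPERT1), "expert2": (0.5, EXPERT2)}

if __name__ == "__main__":
    print("naive merge violations:", len(exclusivity_violations(naive_merge(SOURCES))))
    fused = fuse(SOURCES)
    print("fused violations:", len(exclusivity_violations(fused)))
    for r in fused:
        print(r)
    print("expert2 recovered:", deaggregate(fused, "expert2") == EXPERT2)
```

On the constructed sources, naive concatenation produces two exclusivity violations (the two P(Alarm | Intrusion) rules share a head and an identical tail; the two Intrusion rules share a head with compatible tails), while the fused BKB has none, keeps all four original rules with their original probabilities, and returns each expert's rules unchanged on de-aggregation. Reasoning over the fused BKB then weighs each expert's contribution through the source priors instead of forcing a choice between them up front.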